[Yeti DNS Discuss] Re: Notes from Yeti 2nd Virtual meeting

Davey Song(宋林健) ljsong at biigroup.cn
Tue Mar 29 02:27:10 UTC 2016

Hi David, Thanks for your clarification.  We will check ICANN DPS more carefully.


From: David Conrad [mailto:drc at virtualized.org]
Sent: March 26, 2016 11:45
To: Davey Song
Cc: discuss at lists.yeti-dns.org
Subject: Re: [Yeti DNS Discuss] Notes from Yeti 2nd Virtual meeting


Shane mentioned the IANA KSK roll status:


http://yeti-dns.org/resource/2016-03-24/2016-03-24-icann-ksk-roll.pdf


Um.  From that presentation:


"Root KSK DPS: roll every 5 years – Signed 2010-07-15 (> 5.5 years ago... oops!)"


The actual ICANN KSK DPS policy statement (the first sentence of section 6.5 of https://www.iana.org/dnssec/icann-dps.txt) says:


"Each RZ KSK will be scheduled to be rolled over through a key ceremony as required, or after 5 years of operation."


(emphasis added). It does NOT say "roll every 5 years".


We're in the process of developing the necessary plans and processes to attempt to safely and responsibly roll the KSK _after_ 5 years as the DPS requires.  As every validating resolver on the planet will need to update their trust anchor in response to this roll, you can probably imagine that this is a non-trivial exercise when you're talking about not disrupting the production Internet (or at least 25% or so of that Internet that is currently validating responses) upon which trillions of dollars of GDP depend.


We anticipate providing more details on the plans for the KSK roll in the near future.





